Diffstat (limited to 'libpod/container_internal_linux.go')
-rw-r--r-- | libpod/container_internal_linux.go | 69 |
1 files changed, 48 insertions, 21 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index bcdfdaee3..b074efa3a 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -26,11 +26,11 @@ import (
 "github.com/containers/libpod/pkg/rootless"
 "github.com/containers/libpod/pkg/secrets"
 "github.com/containers/storage/pkg/idtools"
- "github.com/mrunalp/fileutils"
 "github.com/opencontainers/runc/libcontainer/user"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/opencontainers/selinux/go-selinux/label"
+ opentracing "github.com/opentracing/opentracing-go"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
@@ -170,10 +170,15 @@ func (c *Container) cleanupNetwork() error {
 // Generate spec for a container
 // Accepts a map of the container's dependencies
 func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
+ span, _ := opentracing.StartSpanFromContext(ctx, "generateSpec")
+ span.SetTag("type", "container")
+ defer span.Finish()
+
 execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil)
 if err != nil {
 return nil, err
 }
+
 g := generate.NewFromSpec(c.config.Spec)
 
 // If network namespace was requested, add it now
@@ -235,13 +240,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 }
 }
 
- // Bind builtin image volumes
- if c.config.Rootfs == "" && c.config.ImageVolumes {
- if err := c.addLocalVolumes(ctx, &g, execUser); err != nil {
- return nil, errors.Wrapf(err, "error mounting image volumes")
- }
- }
-
 if c.config.User != "" {
 // User and Group must go together
 g.SetProcessUID(uint32(execUser.Uid))
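Review bot: The child context returned by `opentracing.StartSpanFromContext` is discarded on the first added line of the generateSpec hunk, so any span started later from `ctx` inside generateSpec will not be parented to this "generateSpec" span. If nested spans are intended, keep the context instead of dropping it: `span, ctx := opentracing.StartSpanFromContext(ctx, "generateSpec")`. generateSpec's body continues past the hunk, so whether ctx is consumed further down is not visible here.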
@@ -483,6 +481,19 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO
 if c.state.State != ContainerStateRunning {
 return errors.Wrapf(ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State)
 }
+
+ // Create the CRIU log file and label it
+ dumpLog := filepath.Join(c.bundlePath(), "dump.log")
+
+ logFile, err := os.OpenFile(dumpLog, os.O_CREATE, 0600)
+ if err != nil {
+ return errors.Wrapf(err, "failed to create CRIU log file %q", dumpLog)
+ }
+ logFile.Close()
+ if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil {
+ return errors.Wrapf(err, "failed to label CRIU log file %q", dumpLog)
+ }
+
 if err := c.runtime.ociRuntime.checkpointContainer(c, options); err != nil {
 return err
 }
@@ -678,20 +689,12 @@ func (c *Container) makeBindMounts() error {
 // If it doesn't, don't copy them
 resolvPath, exists := bindMounts["/etc/resolv.conf"]
 if exists {
- resolvDest := filepath.Join(c.state.RunDir, "resolv.conf")
- if err := fileutils.CopyFile(resolvPath, resolvDest); err != nil {
- return errors.Wrapf(err, "error copying resolv.conf from dependency container %s of container %s", depCtr.ID(), c.ID())
- }
- c.state.BindMounts["/etc/resolv.conf"] = resolvDest
- }
+ c.state.BindMounts["/etc/resolv.conf"] = resolvPath
+ }
 
 hostsPath, exists := bindMounts["/etc/hosts"]
 if exists {
- hostsDest := filepath.Join(c.state.RunDir, "hosts")
- if err := fileutils.CopyFile(hostsPath, hostsDest); err != nil {
- return errors.Wrapf(err, "error copying hosts file from dependency container %s of container %s", depCtr.ID(), c.ID())
- }
- c.state.BindMounts["/etc/hosts"] = hostsDest
+ c.state.BindMounts["/etc/hosts"] = hostsPath
 }
 } else {
 newResolv, err := c.generateResolvConf()
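Review bot: In the checkpoint hunk the CRIU log is opened with `os.O_CREATE` alone, so the `0600` mode is applied only when dump.log does not exist yet; a dump.log left behind by an earlier checkpoint keeps its previous mode and contents, and only the relabel is redone. If each checkpoint should start with a fresh, owner-only log, open it as `logFile, err := os.OpenFile(dumpLog, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)` and note that OpenFile never changes the mode of a pre-existing file, so an explicit chmod would be needed if that matters for this directory. `logFile.Close()` also drops its error; nothing was written so that is defensible, but a comment such as `// nothing written; a close error is not actionable here` would make it deliberate. checkpoint's body continues outside the hunk.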
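Review bot: After the -678 hunk, `c.state.BindMounts["/etc/resolv.conf"]` and `["/etc/hosts"]` point directly at the dependency container's files rather than a private copy under `c.state.RunDir`, so this container's mount source now lives in another container's run directory; if depCtr is cleaned up or recreated first, the source path can vanish or change underneath a running container. If sharing is the intent (it appears to pair with the relabel added further down), a comment making the lifetime coupling explicit would help, e.g. `// Share depCtr's resolv.conf and hosts directly; depCtr must outlive this container.` makeBindMounts continues outside the hunk.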
@@ -706,6 +709,14 @@ func (c *Container) makeBindMounts() error {
 }
 c.state.BindMounts["/etc/hosts"] = newHosts
 }
+
+ if err := label.Relabel(c.state.BindMounts["/etc/hosts"], c.config.MountLabel, true); err != nil {
+ return err
+ }
+
+ if err := label.Relabel(c.state.BindMounts["/etc/resolv.conf"], c.config.MountLabel, true); err != nil {
+ return err
+ }
 }
 
 // SHM is always added when we mount the container
@@ -759,8 +770,24 @@ func (c *Container) makeBindMounts() error {
 
 // generateResolvConf generates a containers resolv.conf
 func (c *Container) generateResolvConf() (string, error) {
+ resolvConf := "/etc/resolv.conf"
+ for _, ns := range c.config.Spec.Linux.Namespaces {
+ if ns.Type == spec.NetworkNamespace {
+ if ns.Path != "" && !strings.HasPrefix(ns.Path, "/proc/") {
+ definedPath := filepath.Join("/etc/netns", filepath.Base(ns.Path), "resolv.conf")
+ _, err := os.Stat(definedPath)
+ if err == nil {
+ resolvConf = definedPath
+ } else if !os.IsNotExist(err) {
+ return "", errors.Wrapf(err, "failed to stat %s", definedPath)
+ }
+ }
+ break
+ }
+ }
+
 // Determine the endpoint for resolv.conf in case it is a symlink
- resolvPath, err := filepath.EvalSymlinks("/etc/resolv.conf")
+ resolvPath, err := filepath.EvalSymlinks(resolvConf)
 if err != nil {
 return "", err
 }
@@ -810,7 +837,7 @@ func (c *Container) generateResolvConf() (string, error) {
 }
 
 // Relabel resolv.conf for the container
- if err := label.Relabel(destPath, c.config.MountLabel, false); err != nil {
+ if err := label.Relabel(destPath, c.config.MountLabel, true); err != nil {
 return "", err
 }
|
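Review bot: The two `label.Relabel` calls added in the -706 hunk index `c.state.BindMounts` unconditionally, but the dependency branch in the preceding hunk only sets `"/etc/hosts"` and `"/etc/resolv.conf"` when the dependency container had them, so a missing key yields `""` and Relabel runs on an empty path. Whether `label.Relabel` tolerates "" is not visible here; guard each lookup, e.g. `if p, ok := c.state.BindMounts["/etc/hosts"]; ok { if err := label.Relabel(p, c.config.MountLabel, true); err != nil { return err } }`, and likewise for resolv.conf. With shared=true these calls also relabel files that belong to the dependency container, which is a cross-container change worth a one-line comment. makeBindMounts continues outside the hunk.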
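Review bot: The loop added in the -759 hunk dereferences `c.config.Spec.Linux` without a nil check, so a spec without a Linux section would panic in generateResolvConf instead of falling back to /etc/resolv.conf; whether every spec reaching this point is populated is not visible here, and wrapping the loop in `if c.config.Spec.Linux != nil { ... }` keeps the default path either way. The `/etc/netns/<name>/resolv.conf` lookup also deserves a comment, since the name is derived from `filepath.Base(ns.Path)` and /proc/ paths are skipped: `// Named netns (presumably the ip-netns convention): /etc/netns/<name>/resolv.conf overrides the host file; /proc/<pid>/ns paths have no such directory.` generateResolvConf's body continues past the hunk.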
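Review bot: The -837 hunk flips the shared flag in `label.Relabel(destPath, c.config.MountLabel, true)` without stating why; with the shared label the file is no longer private to this container's MCS categories, so the motivation belongs in the existing "Relabel resolv.conf" comment. Something like `// Use the shared label: the source may now be a netns resolv.conf read by several containers.` would do, provided that is the actual reason, which the hunk does not state.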